How incompetent of a government do you have to be to spin off your defence research unit for less than market value and then buy back the exact work they provide without a bidding process for obscene cash?

Corporations respond to financial penalties. Perhaps direct financial penalties included in contracts would motivate these companies to actively protect their data and networks.

Considering the number of these kinds of breaches the Gov. should consider applying the same kind of rules that they would to individuals who don't properly secure sensitive information, including penalties.


Unless China paid more for them to stick a thumb up their ass and say "durrrr, I do-no" when people complain.


Well that's quite true until they see criminal prosecutions maybe. If the facts described here are true, some of these people could be prosecuted as traitors to the nation or some similar equivalent.


I love reading and being reminded of that whole HBGary ordeal. There was such a constant "crash-and-burn" feel to it. I found it particularly interesting because of some of the highly specialized products that they made at that company, and how spectacularly it failed at implementing its own recommended security measures.

They were a great reminder that it's important to practice what you preach, at least, in my opinion. I think their entire problem started because of a very simple SQL injection attack, and their top administrators had very simple password schemes.

Back to the point of the article, being incompetent with security in cyberspace is going to yield far more damaging results as we move forward in this world. With such a monstrous reliance on computers and technology, security loopholes are going to yield greater finds for larger parties, and we should pay careful attention to this.

Except their trade secret on how to produce a consumer product at the lowest possible cost that will not break in shipping but WILL break precisely upon its third use. AND the witchcraft they must use that compels Americans to buy another one...

I think it's high time to bring the LOC (Loss Of Contract) hammer down on these contractors that don't take the time to secure or properly monitor their network security arrangements.

Simply put, if a contractor gets hacked in a manner that results in the loss of sensitive data, you lose the contract for the system that was jeopardized, and they would be required to return all funding provided for the specified project.

Then put them on a watchlist. If the contractor gets hacked a second time, resulting in the loss of sensitive data, then they lose ALL of their defense contracts and get banned from competing in bids until they can prove they've reworked their IT infrastructure to properly secure their data.

How incompetent of a government do you have to be to spin off your defence research unit for less than market value and then buy back the exact work they provide without a bidding process for obscene cash?

Unfortunately, a lot of this comes down to governments favoring "who you know" vs. "what you know". Connections win out over competence, a great deal of the time...


Not to mention that this form of sweetheart dealing is especially typical in the military-industrial complex areas. I'm not saying it isn't ever seen elsewhere, but it's at ridiculous levels in the military-industrial area. We pay crazy amounts of tax dollars to keep a bunch of cronies happy and wealthy, and it got worse when things got more privatized, rather than better. At least when it was in house it was more likely to get scrutinized, and if it came to attention it might actually get dealt with, especially with recent pushes for internal accountability and efficiency.

When it got moved more to contractors, suddenly it's as if no one was responsible, no one knew there was an issue even, and because it went through some form of bidding process it's considered completely legitimatized.

I personally was writing about the revelation of massive Chinese hacking of all US federal government computers exposed to the Internet in 2007. This was after years of warning the world that the Red Hacker Alliance had been extremely active hacking everything in reach since 1998, the year the USA granted China 'Most Favored Nation' status. That the US feds got caught PWNed by the Chinese in 2007 was deplorable.

But to have a defense contractor ignore what was blatantly obvious, to be warned about their specific machines having already been PWNed and ignoring the well known problem for years, is sheer, deliberate incompetence.

Kill this company quick! They're a detriment to mankind. It doesn't get worse.

How incompetent of a government/government agency do you have to be to continue working with a company that has failed to secure their infrastructure 6 years after you warned them it was breached?

A lot of it was not by choice. QinetiQ has been on a major acquisition spree the last couple of decades. The government contracts out something to a small US R&D company, is very happy, then the company is bought by QinetiQ, has loads of bureaucracy added on, and times and prices increase. So the government starts looking for other suppliers, rinse & repeat.

It's like consumers trying to get away from AT&T mobile or Earthlink dialup only to have every company they move to eaten up by the giant within a year.

The trade-off here is that we also need to be prepared to spend a *lot* more for defense-related stuff. Security is not cheap and even more importantly, strong security measures usually radically drop productivity, making everything much more expensive.

Note, upgrading from terrible security to mediocre security is not nearly so drastically expensive, but *high* security, where *every* single transaction must be verified and counter-verified, is just nightmarish. Sort of like the difference between owning a house (remember to lock the doors when you leave) and actively trying to live and work while there are multiple teams of assailants trying to batter down your doors.

Companies and businesses just aren't used to having attackers working 24 hours a day to penetrate their security. Once the cost of failure became zero, continuous attacks from the electronic criminal world became viable. The only limitation is whether you have anything worth stealing.


Well that's quite true until they see criminal prosecutions maybe. If the facts described here are true, some of these people could be prosecuted as traitors to the nation or some similar equivalent.

Only if they can present evidence in secret, *and* that whoever controls access to said evidence wants there to be a trial. Somehow those who control the evidence *NEVER* want this type of thing in the open.


Unfortunately, a lot of this comes down to governments favoring "who you know" vs. "what you know". Connections win out over competence, a great deal of the time...

This.

Take for example weapons procurement. Billions are wasted regularly on weapons, systems, and other ideas that simply are not well implemented. When a lobbyist sends something to a member of Congress about a new system, they don't really send anything about how potent or how effective that system is, they send a map of where the jobs are. The other thing that is done is to distribute these jobs as widely as possible so that whenever a Congress member opposes it, they can be accused of "putting their constituents out of work".

The end result is expensive, ineffective contracts that don't make the US or the world any safer.

I think it's high time to bring the LOC (Loss Of Contract) hammer down on these contractors that don't take the time to secure or properly monitor their network security arrangements.

I think the comments since then have taken care of this, but all you will get with real threats of LOC is companies that are too big to take the contract away from. Even more likely is that once you apply any sort of contract limitations to a company, the now worthless company (the skills required to obtain and manage government contracts are expensive, and explode with higher secrecy levels) is gobbled up by a larger company. Sooner or later you have a situation like the DoD where everything (at least in some service branches) is Lockheed Martin.

The trade-off here is that we also need to be prepared to spend a *lot* more for defense-related stuff. Security is not cheap and even more importantly, strong security measures usually radically drop productivity, making everything much more expensive.

Note, upgrading from terrible security to mediocre security is not nearly so drastically expensive, but *high* security, where *every* single transaction must be verified and counter-verified, is just nightmarish. Sort of like the difference between owning a house (remember to lock the doors when you leave) and actively trying to live and work while there are multiple teams of assailants trying to batter down your doors.

Companies and businesses just aren't used to having attackers working 24 hours a day to penetrate their security. Once the cost of failure became zero, continuous attacks from the electronic criminal world became viable. The only limitation is whether you have anything worth stealing.

This.

They're probably being irresponsible security-wise, but it's not exactly as simple as saying, "make it secure!" This shit is expensive, as well as being a tremendous burden on productivity. I know some big defense contractors don't have internet access, except for email. I'm a programmer, and I can't imagine how I could possibly get anything done without Google and Stack Overflow.

Hate seeing companies getting hacked like that, and they should take some steps to stop it for sure, but it's not like someone forgot to turn on the "secure" light when they showed up for work in the morning.

I recently dealt with an IT idiot. When I pointed out a security flaw, he did the same thing most IT admins I've dealt with do... waved his arms, beat his chest and told me how good he was. It appears to go with the territory. Without a doubt, QinetiQ's IT department are incompetent (and yes, I've dealt with QinetiQ). The problem with QinetiQ is that they know certain things VERY well. Threatening to pull the pin on their contract is not feasible. At present, they're a small, specialized player that can service multiple larger players, which benefits DOD. QinetiQ need to sack their IT dept, but I suspect it won't help (frying pans and fires). Public embarrassment looks like the best option.

At this point, between protracted development times and state-level industrial espionage leveraged against comparatively small commercial entities (Once you get to the sub-sub-contractor level, chances are good you're dealing with a fairly small business) it's a wonder that any classified programs actually manage to stay classified all the way into service.

I think it's high time to bring the LOC (Loss Of Contract) hammer down on these contractors that don't take the time to secure or properly monitor their network security arrangements.

Simply put, if a contractor gets hacked in a manner that results in the loss of sensitive data, you lose the contract for the system that was jeopardized, and they would be required to return all funding provided for the specified project.

Then put them on a watchlist. If the contractor gets hacked a second time, resulting in the loss of sensitive data, then they lose ALL of their defense contracts and get banned from competing in bids until they can prove they've reworked their IT infrastructure to properly secure their data.

A little harsh for the first incident. Plus this would motivate contractors to take advantage of "unfortunate incidents" that get their competitor's contracts terminated. Most likely these incidents would occur with regularity so long as they are guaranteed to open up contracts.

I would support such a policy for dealing with contractors that have an excessive number of incidents within a certain time period. Say, more than one major incident in 5 years? And they would have to submit to and pay for a third-party security audit afterward.


Not to mention that this form of sweetheart dealing is especially typical in the military-industrial complex areas. I'm not saying it isn't ever seen elsewhere, but it's at ridiculous levels in the military-industrial area. We pay crazy amounts of tax dollars to keep a bunch of cronies happy and wealthy, and it got worse when things got more privatized, rather than better. At least when it was in house it was more likely to get scrutinized, and if it came to attention it might actually get dealt with, especially with recent pushes for internal accountability and efficiency.

When it got moved more to contractors, suddenly it's as if no one was responsible, no one knew there was an issue even, and because it went through some form of bidding process it's considered completely legitimatized.

Interesting tidbit: Dwight Eisenhower coined the phrase "Military-Industrial Complex" in one of the farewell addresses given toward the end of his administration. As he prepared the original draft of this address, he penned the phrase: "Military-Industrial-Congressional Complex". Various advisers convinced him to remove "Congressional" from the catch phrase on the basis that it was too politically contentious to remain.

Having led in first the military arena & then the political, he developed very clear insights into trends that were emerging even then. Possessing a thoughtful & reasoned intellect, he understood the implications of what would come to pass should such a corrosive alliance be accepted & allowed to evolve.

Eisenhower was every bit as human as the rest of us & was far from perfect. But being a principled citizen who hoped for a unified national progression toward higher ideals, he cautioned against tolerating the narrowly focused & tightly held concentrations of wealth, power & resources finding expression in a Military-Industrial-Congressional complex.